Offline JWT Validation with Go
How to validate a JSON Web Token with Go
Florian von Bock
Hi Phillip!
There is a high severity bug in jwt-go (CVE assigned: https://nvd.nist.gov/vuln/d… )
It is discussed on the ticket here: https://github.com/dgrijalv…
As the original author/maintainer seems to not be active on the project a couple of fork/fixes have been made. See the ticket for those and/or alternative JWT implementations.
Cheers
Joël Franusic
Hi Florian,
Thanks for bringing this up. I haven’t yet tested this, but I believe that Phillip’s example would address this particular CVE since he manually verifies the “aud” claim:
else if token.Claims.(jwt.MapClaims)["aud"] != "api://default" {
    errorMessage = "Invalid aud"
}
I’m going to look into testing this to be sure, of course. However, at first glance, it seems like Phillip’s code is okay in regards to this specific CVE.
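An added, stand-alone example (not Phillip's code and not jwt-go's) of the manual audience check the comment above discusses. It operates on the decoded claims map (jwt.MapClaims is a map[string]interface{}) and assumes the "api://default" audience from the quoted snippet; it goes slightly beyond that snippet by also handling the array form of "aud" that RFC 7519 permits, so that array-valued tokens are checked member by member rather than failing or passing on a type mismatch.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// expectedAudience is the literal Phillip's quoted check compares against.
const expectedAudience = "api://default"

// audienceMatches reports whether the decoded "aud" claim names expected.
// RFC 7519 allows "aud" to be a single string or an array of strings; this
// accepts both forms but still insists on an exact match of at least one.
func audienceMatches(claims map[string]interface{}, expected string) bool {
	switch aud := claims["aud"].(type) {
	case string:
		return aud == expected
	case []interface{}:
		for _, v := range aud {
			if s, ok := v.(string); ok && s == expected {
				return true
			}
		}
		return false
	default:
		// Missing "aud" or an unexpected type: never treat as valid.
		return false
	}
}

// checkAudienceJSON decodes a JSON claims object and returns "" on success
// or an error message modelled on the one in Phillip's snippet.
func checkAudienceJSON(claimsJSON string) string {
	var claims map[string]interface{}
	if err := json.Unmarshal([]byte(claimsJSON), &claims); err != nil {
		return "Invalid claims: " + err.Error()
	}
	if !audienceMatches(claims, expectedAudience) {
		return "Invalid aud"
	}
	return ""
}

func main() {
	// Constructed sample claim sets, not tokens from the article or thread.
	for _, c := range []string{`{"aud":"api://default"}`,
		`{"aud":["api://default","api://other"]}`, `{"aud":"api://other"}`, `{"aud":[]}`, `{}`} {
		fmt.Printf("%-42s -> %q\n", c, checkAudienceJSON(c))
	}
}
```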